topic Re: Insecure Management Interface on a Modem in Tech Talk

Insecure Management Interface on a Modem

ericgeater — Thu, 24 Oct 2019 12:48:00 GMT

Good morning, y'all. If a modem vendor sells an internet-facing device which has an HTTP interface that supports neither SSL nor TLS (only 80 or 8080), and HTTP is the only method of remotely accessing this device without going through several undocumented steps to crank up SSH... and if this is the only solution we can have before a go-live next week, what's a safe minimum number of characters for the admin password?

If you think it's weird that SSH isn't already configured, you'll really think it's strange knowing WAN-side HTTP can't be turned off.

thanks!

Re: Insecure Management Interface on a Modem

CraginS — Thu, 24 Oct 2019 16:50:07 GMT

Uh.. buy a new modem?

Craig

Re: Insecure Management Interface on a Modem

denbesten — Thu, 24 Oct 2019 16:54:27 GMT

There is no safe number. You are one packet away from a successful replay-attack.

I would use the longest string supported by the vendor until such time that the vendor can provide a better solution or I was able to switch vendors.

Re: Insecure Management Interface on a Modem

ericgeater — Thu, 24 Oct 2019 16:55:28 GMT

I called their support desk, and they understand the nature of my complaint. I'm hoping they know of a solution that wasn't spelled out in their Quick Start guide.

Re: Insecure Management Interface on a Modem

ericgeater — Thu, 24 Oct 2019 17:00:41 GMT

I would imagine the greater threat to be having always-on access to the HTTP interface, and therefore unlimited tries to guess the password. How would a replay attack work here? I think I've forgotten that... it's been a while.

Re: Insecure Management Interface on a Modem

Shannon — Thu, 24 Oct 2019 17:51:41 GMT

@ericgeater wrote:
If a modem vendor sells an internet-facing device which has an HTTP interface that supports neither SSL nor TLS (only 80 or 8080), and HTTP is the only method of remotely accessing this device without going through several undocumented steps to crank up SSH... and if this is the only solution we can have before a go-live next week, what's a safe minimum number of characters for the admin password?

Like @denbesten said, changing the length of your password isn't going to make any difference here.

@ericgeater wrote:
... you'll really think it's strange knowing WAN-side HTTP can't be turned off.

If the ability to login via the network can't be disabled, it's a surprise & a big concern. If the vendor has been so lax with the security of this product, I'd suggest you also do an online lookup to see if it has other security concerns.

Information Security policies you set in your organization should dictate minimal security requirements, and state how to handle exceptions.

Treat this as a risk. Prepare a report portraying the impact & probability in a matrix, say that the vendor has offered no solution & there's nothing much to mitigate this, and finally, recommend that the modem be replaced.

Send the report to management, after which they will have to decide whether to accept the risk or treat it.

This is essentially a 'cover your a**' strategy --- if there's any negative impact due to this risk, you might end up taking the fall if you never brought it to management's attention.

(To play it absolutely safe, get them to give you a written confirmation about accepting the risk before the go-live.)

Re: Insecure Management Interface on a Modem

Shannon — Thu, 24 Oct 2019 18:09:52 GMT

The vulnerabilities in this situation would be the inability to disable HTTP logins via the network, and the lack of support for SSH.

The threat is these being exploited to obtain the password by capturing the data in transit and re-using it, or simply initiating a new session for an unauthorized login to the device.

To supplement my previous post, you could implement deterrent & detective controls --- setting up a banner on the device, and configuring logging / alerts --- but I feel that if you can't use a preventive control in the 1st place, there's not much use in the others.

(Anyways, put it all in a report, and throw the ball in your management's court )

Re: Insecure Management Interface on a Modem

denbesten — Thu, 24 Oct 2019 22:32:20 GMT

@ericgeater wrote:
How would a replay attack work here? I think I've forgotten that... it's been a while.

I'm was being brief in my verbiage. I see three primary attack scenarios:

If somebody could insert themselves between you and your device, they could with a simple packet capture learn your password, which they could then later use to log themselves in. This is what I was calling a replay attack -- collecting and reusing part of your session.
A brute-force attack, wherein somebody repeatedly tries to login using a list of passwords. Length will help here, which is why I suggested "as long as supported".
An authentication-bypass attack whereby somebody finds/exploits a flaw in the modem that grants them non-credentialed access. Think Bobby Tables against the login page and you have the right idea.

And as you identified, the best solution is to not expose admin interfaces to the Internet.

If your goal is internet-based out-of-band management, I would suggest some sort of filter/ACL that only allows connections from your own source IP addresses.

Re: Insecure Management Interface on a Modem

ericgeater — Sun, 27 Oct 2019 17:00:15 GMT

I appreciate your follow-up answer, btw, because I was thinking more along "password capture" than "replay attack". To that end, thanks for the added detail.

I am going to take @Shannon's advice and get management to sign off. I didn't mention, by the way, that the next (and ONLY) item behind the modem is a firewall appliance. The modem only NATs traffic, and has no role or participation in the overall security.

Thanks for the replies, everyone.